Does CISA's KEV Catalog Speed Up Remediation?

Vulnerabilities added to the CISA known exploited vulnerability (KEV) list do indeed get patched faster, but not fast enough.

A man swatting flying bugs
Source: Federico Caputo via Alamy Stock Photo

RSA CONFERENCE 2024 – San Francisco – When the Cybersecurity and Infrastructure Security Agency first introduced the Known Exploited Vulnerabilities (KEV) list in 2021, the intent was to provide government agencies and enterprises with a heads up about the most risky threats out in the wild. Nearly three years later, research shows the KEV list is speeding up remediation times, but there's more work to be done.

Former Congressman Jim Langevin was behind the CISA Binding Operational Directive legislation 22-01 that created the KEV list, and explains to Dark Reading that the intent was to provide enterprises with the same information being shared with government agencies about which vulnerabilities posed the greatest risk, and should therefore be prioritized for remediation. Vulnerabilities added to the KEV list are required to the mitigated for the federal government, not so for enterprises.

In order for a flaw to be added to the KEV list, it must have an assigned CVE, be known to have been exploited in the wild, and have a remediation available. Deadlines imposed by CISA to remediate among federal agencies varies from one week to six months, with ransomware vulnerabilities being treated with the most urgency, according to data from a new report from Bitsight that wanted to evaluate whether the list is working effectively.

Severity Scores Help Patch Prioritization

Bitsight reported that 35% organizations experienced a KEV in 2023 — 66% of which had more than one, 25% of which had more than five, and 10% of which had more than 10.

"Among medium-severity vulnerabilities, there is almost no difference in remediation speed," the report said. "However, the median critical KEV is remediated 2.6 times faster than a non-KEV counterpart, with high-severity KEVs remediated 1.8 times faster than non-KEVs."

Langevin is encouraged by the uptick in remediation timelines, however, many organizations are still struggling. Bugs that are being used in ransomware campaigns appear to get top priority for remediation among enterprise teams, the data showed.

"If we average out the relative drops, ransomware KEVs are fixed 2.5x faster (on average) than KEVs not known to be used in ransomware," the report added.

Meanwhile, non-profits and NGOs are the slowest to remediate, while tech companies and insurance and financial firms win the speed race.

Federal agencies also often struggle to meet stated CISA deadlines, but remediate a full 65% faster than all other sectors, Bitsight found. About 40% of vulnerabilities on the KEV list get fixed by the deadline, the report added.

To get faster, it's necessary for enterprises to stand up an effective vulnerability management system at the corporate level, gather context about the threat using the KEV list and other sources. Importantly, the Bitsight researchers urge organizations focus on measuring remediation rates with accountability for moving too slowly.

At its most fundamental, Langevin views the KEV list as an information source to provide context around the threat landscape.

Bitsight's VP of government affairs Jake Olcott adds the KEV list should help teams identify which bugs should be elevated to the highest levels of the business.

"KEVs are exactly the kind of vulns that should be discussed at the board level," Olcott explains to Dark Reading. "It helps articulate not just the cyber risk, but the business risk."

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights